N3uron Web User Interface Privilege Escalation Vulnerability via Insecure Password Hashing

Vulnerability

A privilege escalation vulnerability has been identified in the N3uron Web User Interface versions 1.21.7-240207.1047, 1.21.6-230825.1720, and 1.21.13-250422.0858. This vulnerability allows remote attackers to escalate privileges by exploiting client-side password hashing that uses the MD5 algorithm, applied over a predictable string format. The issue arises from excessive data exposure through WebSocket communications, inadequate authorization checks on sensitive configuration endpoints, and the use of a weak cryptographic scheme for password hashing. As a result, low-privileged authenticated users can access password hashes of higher-privileged accounts, potentially leading to unauthorized access and privilege escalation within the application.

Impact

Exploitation of this vulnerability allows low-privileged users to access password hashes of all registered users, including those with higher privileges. The weak MD5-based hashing scheme can be cracked offline, enabling attackers to impersonate users and escalate privileges within the application.

Reproduction

To reproduce this vulnerability, log into the N3uron Web User Interface with a low-privileged account. Once logged in, access the 'Config - Roles - Users/Groups' endpoint through the WebSocket interface. This will expose password hashes for all users, including those with elevated privileges. The client-side hashing implementation can be exploited by applying a custom Hashcat rule to crack the MD5 hashes more efficiently.
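
The three weaknesses described above (excessive exposure, missing authorization on the user configuration endpoint, and a predictable unsalted MD5 digest) side by side with the corrected pattern, as an added Python model that is not N3uron's code; the "user:password" pre-image format, the field and role names, and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data. The "user:password" pre-image format, the field
# names and the role names are assumptions for illustration, not N3uron's.
def weak_client_hash(username, password):
    # Unsalted MD5 over a predictable string: the same input always yields
    # the same digest, so a leaked digest can be tested offline at MD5 speed.
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()

WEAK_USERS = {
    "operator": {"role": "operator", "password": weak_client_hash("operator", "pass1234")},
    "admin": {"role": "admin", "password": weak_client_hash("admin", "s3cret")},
}

def weak_user_config(caller_role):
    # Vulnerable pattern: no role check, and every record, including the
    # digest that doubles as the credential, is returned to the caller.
    return {"status": 200, "body": {n: dict(r) for n, r in WEAK_USERS.items()}}

def hash_password(password, salt=None, iterations=600_000):
    # Server-side, per-user salted, deliberately slow KDF. The client sends
    # the password over TLS; no client-side digest is stored or compared.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify_password(password, record):
    # Recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

HARDENED_USERS = {
    "operator": {"role": "operator", "credential": hash_password("pass1234")},
    "admin": {"role": "admin", "credential": hash_password("s3cret")},
}

def hardened_user_config(caller_role):
    # Authorization check on the sensitive endpoint, plus a response model
    # that never includes credential material, even for administrators.
    if caller_role != "admin":
        return {"status": 403, "body": {"error": "admin role required"}}
    return {"status": 200, "body": {n: {"role": r["role"]} for n, r in HARDENED_USERS.items()}}
```

The weak handler hands a low-privileged caller the admin's digest, which is deterministic and therefore crackable offline; the hardened handler denies the request and, even for admins, exposes nothing that can be cracked.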

Added: Jan 29, 2026, 8:23 PM
Updated: Jan 29, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.